---

- name: "1.7.1.1 | L2 | PATCH | Ensure SELinux is installed"
  package:
      name: libselinux
      state: present
  when:
      - rhel9cis_rule_1_7_1_1
  tags:
      - level2-server
      - level2-workstation
      - scored
      - patch
      - rule_1.7.1.1

- name: "1.7.1.2 | L2 | PATCH | Ensure SELinux is not disabled in bootloader configuration"
  replace:
      dest: /etc/default/grub
      regexp: '(selinux|enforcing)\s*=\s*0\s*'
      replace: ''
  register: selinux_grub_patch
  ignore_errors: yes
  notify: grub2cfg
  when:
      - rhel9cis_rule_1_7_1_2
  tags:
      - level2-server
      - level2-workstation
      - scored
      - patch
      - rule_1.7.1.2

- name: "1.7.1.3 | L2 | PATCH | Ensure SELinux policy is configured"
  selinux:
      conf: /etc/selinux/config
      policy: "{{ rhel9cis_selinux_pol }}"
      state: enforcing
  when:
      - not rhel9cis_selinux_disable
      - rhel9cis_rule_1_7_1_3
  tags:
      - level2-server
      - level2-workstation
      - scored
      - selinux
      - patch
      - rule_1.7.1.3

- name: "1.7.1.4 | L2 | PATCH | Ensure the SELinux state is enforcing"
  selinux:
      conf: /etc/selinux/config
      policy: "{{ rhel9cis_selinux_pol }}"
      state: enforcing
  when:
      - not rhel9cis_selinux_disable
      - rhel9cis_rule_1_7_1_4
  tags:
      - level2-server
      - level2-workstation
      - scored
      - selinux
      - patch
      - rule_1.7.1.4

- name: "1.7.1.5 | L2 | AUDIT | Ensure no unconfined daemons exist"
  block:
      - name: "1.7.1.5 | L2 | AUDIT | Ensure no unconfined daemons exist | Find the unconfined daemons"
        shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
        register: rhelcis_1_7_1_5_unconf_daemons
        failed_when: false
        changed_when: false

      - name: "1.7.1.5 | L2 | AUDIT | Ensure no unconfined daemons exist | Message on no unconfined daemones"
        debug:
            msg: "Good News! There are no unconfined daemons found on your system"
        when: rhelcis_1_7_1_5_unconf_daemons.stdout | length == 0

      - name: "1.7.1.5 | L2 | AUDIT | Ensure no unconfined daemons exist | Message on unconfined daemones"
        debug:
            msg: "Warning! You have unconfined daemons: {{ rhelcis_1_7_1_5_unconf_daemons.stdout_lines }}"
        when: rhelcis_1_7_1_5_unconf_daemons.stdout | length > 0
  when:
      - rhel9cis_rule_1_7_1_5
  tags:
      - level2-server
      - level2-workstation
      - audit
      - rule_1.7.1.5

- name: "1.7.1.6 | L2 | PATCH | Ensure SETroubleshoot is not installed"
  package:
      name: setroubleshoot
      state: absent
  when:
      - rhel9cis_rule_1_7_1_6
      - "'setroubleshoot' in ansible_facts.packages"
  tags:
      - level2-server
      - scored
      - selinux
      - patch
      - rule_1.7.1.6

- name: "1.7.1.7 | L2 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed"
  package:
      name: mcstrans
      state: absent
  when:
      - rhel9cis_rule_1_7_1_7
  tags:
      - level2-server
      - level2-workstation
      - scored
      - patch
      - rule_1.7.1.7